syncfusion-aspnetcore-security
Content Security Policy (CSP) — Syncfusion ASP.NET Core (Security)
Use this skill for high-level, Syncfusion-specific CSP guidance and references. Detailed code snippets and implementation examples live in the concern's files.
When to Use
- Implementing CSP headers for Syncfusion EJ2 controls
- Running in strict CSP mode where inline scripts/styles are restricted
- Adding nonces to inline scripts/styles for Syncfusion initialization
- Allowlisting CDN resources or external fonts required by Syncfusion themes
Quick Checklist
- Generate a cryptographically secure nonce per request
- Add the nonce to the CSP header and to all Syncfusion script/style tags
- Allow required CDN origins and font providers in CSP directives
- Avoid `'unsafe-inline'` / `'unsafe-eval'` unless absolutely necessary
- Verify behavior in browser DevTools and address CSP violations
Generic Guidelines (Summary)
- Generate nonces early in the pipeline and store them in `HttpContext` for views
- Use minimal, explicit CSP directives (prefer `'self'`, explicit hostnames, and `'nonce-<value>'`)
- Prefer data binding over inline templates to avoid `'unsafe-eval'` requirements
- Document your CSP policy and the reasons for any relaxations
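The checklist and guidelines above describe one procedure: generate a per-request nonce, keep it in `HttpContext`, emit it in the CSP header and reuse it on the Syncfusion script/style tags. The middleware below is an added example (not code from this skill's `references/csp-guide.md` or from Syncfusion); the CDN and font origins it allowlists are assumptions to be replaced with the origins your pages actually load from.

```csharp
// Added example: per-request CSP nonce middleware for ASP.NET Core (.NET 6+).
// The CDN/font origins below are assumed placeholders; use the ones your
// Syncfusion theme and script tags really reference.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class CspNonceMiddleware
{
    // Key under which views read the nonce from HttpContext.Items.
    public const string NonceKey = "CspNonce";

    public static IApplicationBuilder UseCspNonce(this IApplicationBuilder app) =>
        app.Use(async (ctx, next) =>
        {
            // 128 bits from the CSPRNG; base64 keeps it legal in the header and attribute.
            var nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
            ctx.Items[NonceKey] = nonce;

            // Assumed origins (placeholders): adjust to what your pages load.
            const string cdn = "https://cdn.syncfusion.com";
            const string fontCss = "https://fonts.googleapis.com";
            const string fontFiles = "https://fonts.gstatic.com";

            // Explicit directives only: no 'unsafe-inline' or 'unsafe-eval'.
            var csp =
                "default-src 'self'; " +
                $"script-src 'self' 'nonce-{nonce}' {cdn}; " +
                $"style-src 'self' 'nonce-{nonce}' {cdn} {fontCss}; " +
                $"font-src 'self' {cdn} {fontFiles} data:; " +
                "img-src 'self' data:; " +
                "object-src 'none'; " +
                "base-uri 'self'";

            ctx.Response.Headers["Content-Security-Policy"] = csp;
            await next();
        });
}
```

Register it with `app.UseCspNonce();` before the endpoints that render views, and in Razor emit the same value on every Syncfusion tag, e.g. `<script nonce="@Context.Items[CspNonceMiddleware.NonceKey]" src="...">`. Any remaining inline script or style that lacks the nonce shows up as a violation in the browser DevTools console, which is the check the list above asks for.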
References
- Main implementation and examples: references/csp-guide.md